Fix potential crash in libbluray

[handbrake-jp/handbrake-jp-git.git] / libhb / dectx3gsub.c

diff --git a/libhb/dectx3gsub.c b/libhb/dectx3gsub.c
index fe413ad..e466ac5 100644 (file)
--- a/libhb/dectx3gsub.c
+++ b/libhb/dectx3gsub.c
@@ -41,6 +41,7 @@ typedef struct {
 #define READ_U16()      (pos[0] << 8) | pos[1];                                     pos += 2;
 #define READ_U32()      (pos[0] << 24) | (pos[1] << 16) | (pos[2] << 8) | pos[3];   pos += 4;
 #define READ_ARRAY(n)   pos;                                                        pos += n;
+#define SKIP_ARRAY(n)   pos += n;
 
 #define WRITE_CHAR(c)       {dst[0]=c;                                              dst += 1;}
 #define WRITE_START_TAG(c)  {dst[0]='<'; dst[1]=c;   dst[2]='>';                    dst += 3;}
@@ -97,7 +98,7 @@ static hb_buffer_t *tx3g_decode_to_utf8( hb_buffer_t *in )
             
             if ( numStyleRecords != 0 ) {
                 hb_log( "dectx3gsub: found additional StyleBoxes on subtitle; skipping" );
-                READ_ARRAY(size);
+                SKIP_ARRAY(size);
                 continue;
             }
             
@@ -118,7 +119,7 @@ static hb_buffer_t *tx3g_decode_to_utf8( hb_buffer_t *in )
             }
         } else {
             // Found some other kind of TextSampleModifierBox. Skip it.
-            READ_ARRAY(size);
+            SKIP_ARRAY(size);
         }
     }
     
@@ -127,6 +128,8 @@ static hb_buffer_t *tx3g_decode_to_utf8( hb_buffer_t *in )
      */
     int maxOutputSize = textLength + (numStyleRecords * NUM_FACE_STYLE_FLAGS * (MAX_OPEN_TAG_SIZE + MAX_CLOSE_TAG_SIZE));
     hb_buffer_t *out = hb_buffer_init( maxOutputSize );
+    if ( out == NULL )
+        goto fail;
     uint8_t *dst = out->data;
     int charIndex = 0;
     for ( pos = text, end = text + textLength; pos < end; pos++ ) {
@@ -164,6 +167,7 @@ static hb_buffer_t *tx3g_decode_to_utf8( hb_buffer_t *in )
     out->start = in->start;
     out->stop = in->stop;
     
+fail:
     free( startStyle );
     free( endStyle );
     
@@ -174,6 +178,7 @@ static hb_buffer_t *tx3g_decode_to_utf8( hb_buffer_t *in )
 #undef READ_U16
 #undef READ_U32
 #undef READ_ARRAY
+#undef SKIP_ARRAY
 
 #undef WRITE_CHAR
 #undef WRITE_START_TAG
@@ -202,19 +207,21 @@ static int dectx3gWork( hb_work_object_t * w, hb_buffer_t ** buf_in,
         out = hb_buffer_init( 0 );
     }
     
-    // We shouldn't be storing the extra NULL character,
-    // but the MP4 muxer expects this, unfortunately.
-    if ( out->size > 0 && out->data[out->size - 1] != '\0' ) {
-        // NOTE: out->size remains unchanged
-        hb_buffer_realloc( out, out->size + 1 );
-        out->data[out->size] = '\0';
-    }
-    
-    // If the input packet was non-empty, do not pass through
-    // an empty output packet (even if the subtitle was empty),
-    // as this would be interpreted as an end-of-stream
-    if ( in->size > 0 && out->size == 0 ) {
-        hb_buffer_close(&out);
+    if ( out != NULL ) {
+        // We shouldn't be storing the extra NULL character,
+        // but the MP4 muxer expects this, unfortunately.
+        if ( out->size > 0 && out->data[out->size - 1] != '\0' ) {
+            // NOTE: out->size remains unchanged
+            hb_buffer_realloc( out, out->size + 1 );
+            out->data[out->size] = '\0';
+        }
+        
+        // If the input packet was non-empty, do not pass through
+        // an empty output packet (even if the subtitle was empty),
+        // as this would be interpreted as an end-of-stream
+        if ( in->size > 0 && out->size == 0 ) {
+            hb_buffer_close(&out);
+        }
     }
     
     // Dispose the input packet, as it is no longer needed